--- xen-unstable.hg/docs/xen-api/xenapi-datamodel.tex | 39 +++++++ xen-unstable.hg/tools/libxen/include/xen/api/xen_xspolicy.h | 13 ++ xen-unstable.hg/tools/libxen/src/xen_xspolicy.c | 18 +++ xen-unstable.hg/tools/python/xen/util/acmpolicy.py | 15 ++ xen-unstable.hg/tools/python/xen/util/xsm/acm/acm.py | 15 ++ xen-unstable.hg/tools/python/xen/util/xsm/dummy/dummy.py | 4 xen-unstable.hg/tools/python/xen/xend/XendXSPolicy.py | 32 ++++++ xen-unstable.hg/tools/python/xen/xend/XendXSPolicyAdmin.py | 17 +++ xen-unstable.hg/tools/python/xen/xm/resetpolicy.py | 61 ------------ 9 files changed, 153 insertions(+), 61 deletions(-) Index: root/xen-unstable.hg/tools/python/xen/util/acmpolicy.py =================================================================== --- root.orig/xen-unstable.hg/tools/python/xen/util/acmpolicy.py +++ root/xen-unstable.hg/tools/python/xen/util/acmpolicy.py @@ -86,7 +86,7 @@ DEFAULT_policy = \ " \n" +\ " \n" +\ " \n" +\ -" SystemManagement\n" +\ +" SystemManagement\n" +\ " \n" +\ " SystemManagement\n" +\ " \n" +\ @@ -99,8 +99,11 @@ DEFAULT_policy = \ "\n" -def get_DEFAULT_policy(): - return DEFAULT_policy +def get_DEFAULT_policy(dom0label=""): + fromnode = "" + if dom0label != "": + fromnode = " from=\"%s\"" % dom0label + return DEFAULT_policy % fromnode def initialize(): xoptions = XendOptions.instance() @@ -375,6 +378,12 @@ class ACMPolicy(XSPolicy): force_default_policy = classmethod(force_default_policy) + def get_reset_policy_xml(klass): + dom0_label = security.get_ssid(0)[1] + return get_DEFAULT_policy(dom0_label) + + get_reset_policy_xml = classmethod(get_reset_policy_xml) + def __do_update_version_check(self, acmpol_new): acmpol_old = self Index: root/xen-unstable.hg/tools/python/xen/util/xsm/acm/acm.py =================================================================== --- root.orig/xen-unstable.hg/tools/python/xen/util/xsm/acm/acm.py +++ root/xen-unstable.hg/tools/python/xen/util/xsm/acm/acm.py 
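Review bot: In the @@ -99 hunk of acmpolicy.py, `get_DEFAULT_policy` splices `dom0label` into an XML attribute with `" from=\"%s\"" % dom0label` and no escaping, so a label containing `"`, `<` or `&` produces a policy document that will not parse; `fromnode = " from=%s" % quoteattr(dom0label)` (with `from xml.sax.saxutils import quoteattr` in the import block, which is outside this hunk) yields a correctly quoted attribute. The value comes from `security.get_ssid(0)[1]` in the @@ -375 hunk of the same file, whereas the xm-side code this replaces (resetpolicy.py) stripped a leading quote from the label, used only the label part of `type:policy:label`, and omitted `from=` when the label was already SystemManagement, so confirm that `get_ssid(0)[1]` is the bare label and that an explicit `from="SystemManagement"` is intended. `get_reset_policy_xml` also has no docstring; `"""Return the DEFAULT policy XML for a reset, parameterised on Domain-0's current label."""` would do.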
@@ -86,6 +86,7 @@ xmlrpc_exports = [ 'list_labels', 'get_labeled_resources', 'set_policy', + 'reset_policy', 'get_policy', 'activate_policy', 'rm_bootpolicy', @@ -567,6 +568,20 @@ def set_policy(xs_type, xml, flags, over err(str(e)) +def reset_policy(): + """ + Xend exports this function via XML-RPC + """ + from xen.xend import XendXSPolicyAdmin + xspoladmin = XendXSPolicyAdmin.XSPolicyAdminInstance() + try: + acmpol, rc, errors = \ + xspoladmin.reset_acmpolicy() + return rc, base64.b64encode(errors) + except Exception, e: + err(str(e)) + + def get_policy(): """ Xend exports this function via XML-RPC Index: root/xen-unstable.hg/tools/python/xen/xend/XendXSPolicyAdmin.py =================================================================== --- root.orig/xen-unstable.hg/tools/python/xen/xend/XendXSPolicyAdmin.py +++ root/xen-unstable.hg/tools/python/xen/xend/XendXSPolicyAdmin.py @@ -179,6 +179,23 @@ class XSPolicyAdmin: self.xsobjs[ref] = acmpol return (acmpol, xsconstants.XSERR_SUCCESS, errors) + + def reset_acmpolicy(self): + """ + Attempt to reset the system's policy by udating it with + the DEFAULT policy. + """ + from xen.xend import XendDomain + domains = XendDomain.instance() + try: + domains.domains_lock.acquire() + xml = ACMPolicy.get_reset_policy_xml() + flags = xsconstants.XS_INST_BOOT | xsconstants.XS_INST_LOAD + return self.__add_acmpolicy_to_system(xml, flags, True) + finally: + domains.domains_lock.release() + + def make_boot_policy(self, acmpol): if acmpol.is_default_policy(): return xsconstants.XSERR_SUCCESS Index: root/xen-unstable.hg/tools/libxen/include/xen/api/xen_xspolicy.h =================================================================== --- root.orig/xen-unstable.hg/tools/libxen/include/xen/api/xen_xspolicy.h +++ root/xen-unstable.hg/tools/libxen/include/xen/api/xen_xspolicy.h 
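Review bot: `reset_policy` in the @@ -567 hunk of acm.py returns the pair `rc, base64.b64encode(errors)` on success, while the exception path only calls `err(str(e))`, so callers that unpack two values depend on `err` raising (the same pattern as the `err(str(e))` in `set_policy` at the top of the hunk; `err` itself is outside the diff). The `acmpol` element of the unpacked triple is never used and could be `_`. The docstring only says that xend exports the function; it should state what it does and what it returns, e.g. `Reset the system policy to the DEFAULT policy; returns (rc, base64-encoded error text).`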
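Review bot: In `reset_acmpolicy` (XendXSPolicyAdmin.py, @@ -179 hunk) `domains.domains_lock.acquire()` is placed inside the `try`, so if the acquire raised the `finally` would release a lock this thread never took; move `domains.domains_lock.acquire()` to the line before `try:`. The docstring has a typo (`udating`) and should mention that the reset is applied with `XS_INST_BOOT | XS_INST_LOAD`, i.e. it replaces the boot policy as well as the loaded one and therefore carries the same restrictions as an ordinary policy update. The bare `True` passed to `__add_acmpolicy_to_system` is presumably the overwrite flag (that method's signature is outside the hunk); naming it, e.g. `overwrite = True`, would make the call self-explanatory.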
@@ -240,6 +240,19 @@ xen_xspolicy_set_xspolicy(xen_session *s bool overwrite); + +/** + * Attempt to reset the system's policy to the DEFAULT policy for the + * respective policy type. This is done by updating the system and therefore + * underlies the same restrictions of a policy update. This operation may + * for example fail if other domains than Domain-0 are running and have + * different labels than Domain-0. + */ +bool +xen_xspolicy_reset_xspolicy(xen_session *session, xen_xs_policystate **result, + xs_type type); + + /** * Remove any policy from having the system booted with. */ Index: root/xen-unstable.hg/tools/libxen/src/xen_xspolicy.c =================================================================== --- root.orig/xen-unstable.hg/tools/libxen/src/xen_xspolicy.c +++ root/xen-unstable.hg/tools/libxen/src/xen_xspolicy.c @@ -225,6 +225,24 @@ xen_xspolicy_set_xspolicy(xen_session *s bool +xen_xspolicy_reset_xspolicy(xen_session *session, xen_xs_policystate **result, + xs_type type) +{ + abstract_value param_values[] = + { + { .type = &abstract_type_int, + .u.int_val = type }, + }; + + abstract_type result_type = xen_xs_policystate_abstract_type_; + + *result = NULL; + XEN_CALL_("XSPolicy.reset_xspolicy"); + return session->ok; +} + + +bool xen_xspolicy_get_xspolicy(xen_session *session, xen_xs_policystate **result) { abstract_value param_values[] = Index: root/xen-unstable.hg/tools/python/xen/xend/XendXSPolicy.py =================================================================== --- root.orig/xen-unstable.hg/tools/python/xen/xend/XendXSPolicy.py +++ root/xen-unstable.hg/tools/python/xen/xend/XendXSPolicy.py @@ -43,6 +43,7 @@ class XendXSPolicy(XendBase): def getFuncs(self): funcs = [ 'get_xstype', 'set_xspolicy', + 'reset_xspolicy', 'get_xspolicy', 'rm_xsbootpolicy', 'get_resource_label', 
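Review bot: The header comment added for `xen_xspolicy_reset_xspolicy` in xen_xspolicy.h says the operation may fail, but the implementation in xen_xspolicy.c (@@ -225 hunk) returns `session->ok`, which only reflects whether the RPC completed; the server-side `reset_xspolicy` in XendXSPolicy.py records a non-zero `rc` in the returned policy state rather than raising, so a caller that checks only the boolean will treat a refused reset as success. Add to the comment: ` * A true return value only means the call completed; inspect the error code and 'errors' text in *result to see whether the policy was actually reset.` The C struct's field name is outside the hunk; the Python side calls it `xserr`.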
@@ -104,6 +105,36 @@ class XendXSPolicy(XendBase): raise SecurityError(-xsconstants.XSERR_POLICY_TYPE_UNSUPPORTED) return polstate + + def reset_xspolicy(self, xstype): + xstype = int(xstype) + polstate = { 'xs_ref': "", 'repr' : "", 'type' : 0, + 'flags' : 0 , 'version': 0 , 'errors' : "", 'xserr' : 0 } + if xstype == xsconstants.XS_POLICY_ACM: + poladmin = XSPolicyAdminInstance() + try: + (xspol, rc, errors) = poladmin.reset_acmpolicy() + if rc != 0: + polstate.update( { 'xserr' : rc, + 'errors': base64.b64encode(errors) } ) + else: + ref = xspol.get_ref() + polstate = { + 'xs_ref' : ref, + 'flags' : poladmin.get_policy_flags(xspol), + 'type' : xstype, + 'repr' : "", + 'version': xspol.get_version(), + 'errors' : base64.b64encode(errors), + 'xserr' : rc, + } + except Exception, e: + raise + else: + raise SecurityError(-xsconstants.XSERR_POLICY_TYPE_UNSUPPORTED) + return polstate + + def activate_xspolicy(self, flags): flags = int(flags) rc = -xsconstants.XSERR_GENERAL_FAILURE @@ -162,6 +193,7 @@ class XendXSPolicy(XendBase): get_xstype = classmethod(get_xstype) get_xspolicy = classmethod(get_xspolicy) set_xspolicy = classmethod(set_xspolicy) + reset_xspolicy = classmethod(reset_xspolicy) rm_xsbootpolicy = classmethod(rm_xsbootpolicy) set_resource_label = classmethod(set_resource_label) get_resource_label = classmethod(get_resource_label) Index: root/xen-unstable.hg/tools/python/xen/xm/resetpolicy.py =================================================================== --- root.orig/xen-unstable.hg/tools/python/xen/xm/resetpolicy.py +++ root/xen-unstable.hg/tools/python/xen/xm/resetpolicy.py 
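Review bot: In `reset_xspolicy` (@@ -104 hunk) the `except Exception, e: raise` clause re-raises unchanged and binds `e` without using it, so the `try` contributes nothing; either drop the `try`/`except` and dedent the body, or convert the failure into a `SecurityError` so that callers see the same error channel as the `rc != 0` branch, which reports through `xserr`. The method has no docstring; `"""Reset the policy of type xstype to the DEFAULT policy; returns a policy-state dict whose 'xserr' is non-zero on failure."""` would cover the contract. As a matter of style, the success branch rebuilds the whole `polstate` dict while the failure branch uses `polstate.update(...)`; using `update` in both keeps the initial keys authoritative.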
@@ -26,40 +26,6 @@ from xen.xm.main import server from xen.util import xsconstants from xen.util.acmpolicy import ACMPolicy -DOM0_UUID = "00000000-0000-0000-0000-000000000000" - -DEFAULT_policy_template = \ -"" +\ -"" +\ -" " +\ -" DEFAULT" +\ -" 1.0" +\ -" " +\ -" " +\ -" " +\ -" SystemManagement" +\ -" " +\ -" " +\ -" " +\ -" " +\ -" SystemManagement" +\ -" " +\ -" " +\ -" " +\ -" " +\ -" " +\ -" SystemManagement" +\ -" " +\ -" SystemManagement" +\ -" " +\ -" " +\ -" " +\ -" " +\ -" " +\ -" " +\ -" " +\ -"" - def help(): return """ @@ -69,16 +35,6 @@ def help(): since otherwise this operation will fail. """ -def get_reset_policy_xml(dom0_seclab): - if dom0_seclab == "": - return DEFAULT_policy_template % "" - else: - poltyp, policy, label = dom0_seclab.split(":") - if label != "SystemManagement": - return DEFAULT_policy_template % \ - (" from=\"%s\"" % label) - else: - return DEFAULT_policy_template % "" def resetpolicy(): msg = None @@ -99,13 +55,8 @@ def resetpolicy(): not acmpol.is_default_policy(): msg = "Old policy not found in bootloader file." - seclab = server.xenapi.VM.get_security_label(DOM0_UUID) - xml = get_reset_policy_xml(seclab) try: - policystate = server.xenapi.XSPolicy.set_xspolicy(xs_type, - xml, - flags, - True) + policystate = server.xenapi.XSPolicy.reset_xspolicy(xs_type) except Exception, e: raise security.XSMError("An error occurred resetting the " "policy: %s" % str(e)) 
@@ -130,14 +81,8 @@ def resetpolicy(): not acmpol.is_default_policy(): msg = "Old policy not found in bootloader file." - seclab = server.xend.security.get_domain_label(0) - if seclab[0] == '\'': - seclab = seclab[1:] - xml = get_reset_policy_xml(seclab) - rc, errors = server.xend.security.set_policy(xs_type, - xml, - flags, - True) + rc, errors = server.xend.security.reset_policy() + if rc != xsconstants.XSERR_SUCCESS: raise security.XSMError("Could not reset the system's policy. " "Try to halt all guests.") Index: root/xen-unstable.hg/docs/xen-api/xenapi-datamodel.tex =================================================================== --- root.orig/xen-unstable.hg/docs/xen-api/xenapi-datamodel.tex +++ root/xen-unstable.hg/docs/xen-api/xenapi-datamodel.tex 
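Review bot: In the @@ -130 hunk of resetpolicy.py the `errors` value returned by `server.xend.security.reset_policy()` is discarded, yet acm.py's `reset_policy` returns it base64-encoded precisely so the operator can learn which domain or label blocked the reset; the XSMError only ever says "Try to halt all guests." Decoding and appending it, e.g. `"Could not reset the system's policy: %s" % base64.b64decode(errors)`, would make the failure actionable (`base64` would need importing; the import block is outside the hunk, and `errors` should be checked for being non-empty first). `resetpolicy` starts before this hunk, so whether `flags` is still computed but now unused cannot be seen here.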
@@ -14735,6 +14735,45 @@ xs\_policystate State information about the policy. In case an error occurred, the 'xs\_err' field contains the error code. The 'errors' may contain further information about the error. + \vspace{0.3cm} +\vspace{0.3cm} +\vspace{0.3cm} +\subsubsection{RPC name:~reset\_xspolicy} + +{\bf Overview:} +Attempt to reset the system's policy by installing the default policy. +Since this function is implemented as an update to the current policy, it +underlies the same restrictions. This function may fail if for example +other domains than Domain-0 are running and use a different label than +Domain-0 + +\noindent {\bf Signature:} +\begin{verbatim} xs_policystate reset_xspolicy (session_id s, xs_type type) +\end{verbatim} + +\noindent{\bf Arguments:} + +\vspace{0.3cm} + +\begin{tabular}{|c|c|p{7cm}|} + \hline +{\bf type} & {\bf name} & {\bf description} \\ \hline +{\tt xs\_type } & type & the type of policy \\ \hline + +\end{tabular} + +\vspace{0.3cm} + + + \noindent {\bf Return Type:} +{\tt +xs\_policystate +} + + +State information about the policy. In case an error occurred, the 'xs\_err' +field contains the error code. The 'errors' may contain further information +about the error. \vspace{0.3cm} \vspace{0.3cm} \vspace{0.3cm} Index: root/xen-unstable.hg/tools/python/xen/util/xsm/dummy/dummy.py =================================================================== --- root.orig/xen-unstable.hg/tools/python/xen/util/xsm/dummy/dummy.py +++ root/xen-unstable.hg/tools/python/xen/util/xsm/dummy/dummy.py @@ -21,6 +21,7 @@ xmlrpc_exports = [ 'list_labels', 'get_labeled_resources', 'set_policy', + 'reset_policy', 'get_policy', 'activate_policy', 'rm_bootpolicy', @@ -102,6 +103,9 @@ def get_labeled_resources(): def set_policy(xs_type, xml, flags, overwrite): err("Command not supported under xsm 'dummy' module.") +def reset_policy(): + err("Command not supported under xsm 'dummy' module.") + def get_policy(): return "", 0